Wednesday, July 3, 2013

Enable networking in VENET OpenVZ container

I followed the instructions from the OpenVZ website to quickly create a VENET container, but it took me a while to get networking working.
Environment: CentOS 6.4 as the host server, creating a centos-6-x86_64 container.

Here is the instruction from OpenVZ website:

https://openvz.org/Quick_Installation_CentOS_6

Create a VENET Container

  • Create a CT
# vzctl create 101 --ostemplate centos-6-x86_64 --config vswap-1g
  • Configure the CT
# vzctl set 101 --save --name server101
# vzctl set 101 --save --onboot yes
# vzctl set 101 --save --hostname server101.example.com
# vzctl set 101 --save --ipadd 192.168.1.101
# vzctl set 101 --save --searchdomain example.com
# vzctl set 101 --save --nameserver 8.8.8.8 --nameserver 8.8.4.4
# vzctl set 101 --save --cpus 4
# vzctl set 101 --save --ram 8G
# vzctl set 101 --save --swap 4G
# vzctl set 101 --save --diskspace 100G
# vzctl start 101
# vzctl exec 101 passwd
  • Done. Enjoy your new VENET container



The instructions are correct, but there are 3 things you may want to pay attention to.

1. Set up a correct nameserver.
On a real (physical or virtual) server you can run dhclient, which obtains the nameservers from the DHCP server and writes them into /etc/resolv.conf. A venet container gets no DHCP lease, so the resolvers have to be set manually: the --nameserver option in the instructions above writes them into the container's /etc/resolv.conf, and that file is the first thing to check if name resolution fails inside the container.

2. Use a correct IP.
In my case, I followed the instructions and used the IP address 192.168.1.101, which caused problems connecting to the Internet from the container. Then I changed the IP address to 192.168.0.101, and the container could ping google successfully. I think this is because there are internal settings in my subnet that may impose some IP restrictions.

3. Set up correct iptables rules on the host node.
Because I used CentOS 6.4 as my host server, it has the iptables firewall enabled by default, including a FORWARD chain that ends in a REJECT rule. One quick test is iptables --flush, which clears all of the rules (they come back after a reboot because the firewall is reloaded from /etc/sysconfig/iptables), but it also removes every protection the host had, so do not leave a reachable host in that state. To change the firewall permanently, add rules that allow traffic from the container to the Internet (and the replies back in) and save them with service iptables save. Also make sure IP forwarding is on (net.ipv4.ip_forward = 1, which the OpenVZ installation guide sets in /etc/sysctl.conf); without it the host will not route the container's packets at all.

Additionally, read this page: https://openvz.org/Common_Networking_HOWTOs
My experiments have worked with a private IP inaccessible from the LAN (case 1) and a public static IP accessible from the same LAN (case 2).

Note that the interface name in the following command (eth0 here) must be replaced by the host interface that connects to the outside; run ifconfig on the host to see which one that is. With this rule in place the containers can ping google. As written it masquerades every forwarded packet leaving that interface; adding -s with the container's IP limits the NAT to that container.
[host-node]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
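The three points above combined into one host-side script, as an added example written for this post (it is not the OpenVZ project's code nor the author's). It assumes CTID 101, container IP 192.168.1.101 and external interface eth0 (all hypothetical; override them with the CTID, CT_IP and EXT_IF variables), and CentOS 6's stock firewall whose FORWARD chain ends in a REJECT rule. Instead of iptables --flush, it adds rules scoped to the container's address and saves them with service iptables save; with the default DRY_RUN=1 it only prints what it would run.

```bash
#!/bin/bash
# Added example for this post (not from the OpenVZ site or the post's author):
# give one venet container Internet access from a CentOS 6 host node without
# flushing the whole firewall.  All values below are assumptions to adjust:
# CTID 101, container IP 192.168.1.101, external host interface eth0.
# By default the script only prints the commands; run it as root on the host
# with DRY_RUN=0 to apply them.
set -eu

CTID="${CTID:-101}"
CT_IP="${CT_IP:-192.168.1.101}"
EXT_IF="${EXT_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# RFC 1918 addresses are not routable on the Internet, so a container using one
# must be NATed by the host.  A public static IP (case 2 of the OpenVZ HOWTO)
# only needs forwarding, not NAT.  Simplified prefix match, not a CIDR parser.
needs_nat() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# iptables rules scoped to a single container IP.  Compared with the bare
# "-o eth0 -j MASQUERADE" rule, -s limits NAT to this container, and the two
# FORWARD rules are inserted ahead of CentOS 6's default
# "-A FORWARD -j REJECT --reject-with icmp-host-prohibited", so nothing else
# in the host firewall has to be flushed.
nat_rules() {
  ip="$1"; ifname="$2"
  echo "iptables -t nat -A POSTROUTING -s $ip -o $ifname -j MASQUERADE"
  echo "iptables -I FORWARD 1 -s $ip -o $ifname -j ACCEPT"
  echo "iptables -I FORWARD 1 -d $ip -i $ifname -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Full command list for one container: forwarding, resolvers (points 1 and 3
# of the post), NAT only when the address needs it, then persist the rules.
plan() {
  ctid="$1"; ip="$2"; ifname="$3"
  # sysctl -w is not persistent; the OpenVZ install guide also sets
  # net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
  echo "sysctl -w net.ipv4.ip_forward=1"
  # --nameserver writes the container's /etc/resolv.conf (no DHCP inside a CT)
  echo "vzctl set $ctid --save --nameserver 8.8.8.8 --nameserver 8.8.4.4"
  if needs_nat "$ip"; then
    nat_rules "$ip" "$ifname"
    # writes /etc/sysconfig/iptables so the rules survive a reboot
    echo "service iptables save"
  fi
}

# Print each command; execute it as well unless DRY_RUN=1.
run_plan() {
  plan "$@" | while IFS= read -r cmd; do
    echo "+ $cmd"
    [ "$DRY_RUN" = 1 ] || eval "$cmd"
  done
}

run_plan "$CTID" "$CT_IP" "$EXT_IF"
```

The FORWARD rules are what iptables --flush was silently removing: the MASQUERADE rule alone is not enough while the default REJECT is still in place. The -s match on the container address also means other machines behind the host are not masqueraded by accident, and a public container IP (case 2) produces only the sysctl and resolver steps.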
